Lawrence Teo

Testing Your Snort Rules Redux

Exactly four years ago, I blogged about testing Snort rules on
OpenBSD. That post
described a quick way to test if Snort has correctly loaded your rules and
whether it will emit an alert when it reads a matching packet.

But things have changed since then; for starters, the Snort rules I suggested in
that post have been disabled in the official Snort ruleset for a long time now,
so the instructions I wrote no longer work as-is.

That post also
suggested the installation of an ancient webserver called thttpd, which has
been removed
(for a very good reason!) from the OpenBSD ports tree.

A new version of that blog post is sorely needed, so here it is!

One note before we begin: While this post talks about testing Snort on
OpenBSD (specifically OpenBSD 6.0-current), the principles discussed here can
be applied to testing Snort on other operating systems like Linux. I highly
recommend OpenBSD though. :)

Test goals

Just like the earlier post, the goals of the test are to:

Confirm that you have actually loaded some rules

Ensure that your Snort setup can actually trigger alerts

Confirm that you are logging alerts to the right file

Note that this is just a simple test – we’re simply trying to confirm the above
instead of doing a thorough test against a Snort installation. After
all, it would be unwise to attempt a full all-out assault against Snort without
confirming the above!

We will do this simple test by setting up two hosts: the Snort host and an
“attacker” host. The Snort host will run snort and httpd (OpenBSD’s new
webserver; more on that below!), while the attacker host will generate a
“malicious” HTTP request that will match one of the rules on the Snort host and
trigger an alert.

Here’s how it looks like graphically:

Note the sample IP addresses because we’ll be referring to them below.

Now that you have admired my MoMA-worthy artistic creation, it’s time to
move on to installing Snort!

Installing Snort

Installing Snort is really easy on OpenBSD:

pkg_add snort

The pkg_add command will pull in dependent packages just like you expect it to.

Fetching Snort rules

Next, we grab some Snort rules to test. The steps here differ depending on
whether you have signed up for an oinkcode
at Snort.org or not.

For those unfamiliar with what an oinkcode is, it’s basically a registration
code that lets you fetch registered Snort rules from Snort.org. There are two
types of free rulesets at Snort.org:

A registered ruleset that needs the oinkcode; and

A community ruleset that does not need the oinkcode

Note that the registered ruleset also contains all the rules in the community
ruleset. The good news is the test rule that I will use in this blog post
is a community rule so it’s available in both rulesets. So it’s up to you
whether you would like to sign up for an oinkcode or not.

If you’re serious about learning and using Snort though, I recommend signing up
for the oinkcode.

Fetching test Snort rules with an oinkcode

If you have signed up for an oinkcode, simply read
/usr/local/share/doc/pkg-readmes/snort-2.x.x.x for the steps to
activate those rules. To summarize, here are the steps (assuming you’re
running Snort 2.9.8.3, the latest version at the time of writing):

You now have to edit /etc/snort/snort.conf and comment out all the
include $RULE_PATH/*.rules lines (since they are meant for the registered
ruleset) by adding a # character in front of those lines.

Now activate the community ruleset by adding this line:

include $RULE_PATH/community.rules

Starting Snort

Before starting Snort, check if you’re running Snort on a system with
multiple network interfaces. If you are, you’ll need to specify the network
interface you want Snort to listen on.

The best way to do this is to edit /etc/snort/snort.conf and add a line
like this (for example, to make Snort listen on the em0 interface):

config interface: em0

Now let’s fire up Snort!

/etc/rc.d/snort start

Start the webserver

Now we start the webserver. As mentioned earlier, the good news is OpenBSD
now comes with its own HTTP server called httpd, which makes it really
straightforward to get an OpenBSD box to serve HTTP without installing any
packages.

First, create a simple /etc/httpd.conf file:

ext_addr="*"
server "default" {
listen on $ext_addr port 80
}

That’s crazy simple, right?

Then start httpd:

/etc/rc.d/httpd -f start

You’ll need -f to force httpd to start because the line httpd_flags=NO is
in your /etc/rc.conf by default. If you wish to start httpd
on a permanent basis (i.e. for it to persist across reboots), change that line
in /etc/rc.conf to:

Congratulations! You have successfully confirmed that Snort has loaded its rules
and triggered an alert in the correct log file. Time to celebrate with a nice
cup of coffee.

Next steps

This post just describes a simple way to test a Snort rule. If you want to
fetch your Snort rules and manage them in a proper production environment,
I recommend using PulledPork.
This post from the Snort blog post describes why using PulledPork is
important.